Online authentication methods: “Evaluate the strength of online authentication methods”
Introduction
Cornel de Jong, System and Network Engineering, Universiteit van Amsterdam (Spui 21, 1012WX Amsterdam)
Supervisors: UvA: Cees de Laat; Deloitte: Gijs Hollestelle, Tom Schuurmans
Research Project
Research question: “Review new and existing online authentication methods in such a way that it is possible to create a ‘Comparison Matrix’ which contains the authentication methods, characteristics and protection against attack vectors.”
Research goal: The goal is to define a method to make a well-founded choice for an online authentication method in a customer-specific situation, based on the Comparison Matrix.
Agenda
• Project background
• Authentication methods
• Characteristics
• Attack vectors
• Comparison Matrix
• Scenario
Phishing statistics, November 2007 (source: Antiphishing.org)
Authenticate
Multifactor authentication
• One-Factor Authentication
• Two-Factor Authentication
• Three-Factor Authentication
In-Band versus Out-Of-Band
Authentication methods
• Password (only)
• SIM Toolkit
• Hardware Token
• Graphical
• EMV Smartcard
• PKI Smartcard
• One Time Password
• Bookmark
Virtual keyboard
• No hardware keyboard required
• Requires Flash / JavaScript
• Random positioning of the characters
• Prevents keylogger attacks
• But makes shoulder surfing and screen capturing easier
Virtual keyboard examples
Virtual keyboard examples 2
A more sophisticated example from Dexia bank (Luxembourg): https://secure.dexiapluspro.lu/pro/logon_flash.asp?lang=nl&clifpversion=9&clifpok=true
PassFaces
• Graphical authentication
• JavaScript, ActiveX, Java
• Completely mobile
• User selects a face from each page
• Custom image databases available
• Prevents keylogger attacks
PassFaces 2
http://www.realuser.com/enterprise/demo/try_passfaces.htm
One Time Password manual
• Elcard
• Different layouts
• Different form factors
• A scratch card adds a little more security
http://www.elca.ch/live/3/resources/demo_en/main.html
Bookmark authentication
• Use a Bookmark as a “virtual token”
• Token is not sent over the network
• JavaScript is used to read the token
• No Cookies are used
https://site.com/login#[TOKEN]
Examples are:
• BeamAuth
• PhishCops
Characteristics
• Additional hardware
• Additional software
• Complexity
• Scalability
• Portability
• Login time
• System requirements
• Acquisition costs
• Deployment costs
• Operating costs
Comparison Matrix Characteristics
The Comparison Matrix shows the authentication methods and their characteristics, based on a scale from 1 to 5, where higher is better.
• Investigate the available options
• Assign values to the authentication methods
Comparison Matrix Characteristics (score based on scale 1 -- 5, higher is better)

| Authentication method | Additional hardware | Additional software | Complexity | Scalability | Portability | Login time | System requirements | Acquisition cost | Deployment cost | Operating cost | Total score |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Username & Password | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 2 | 47 |
| Partial password | 5 | 5 | 5 | 5 | 5 | 3 | 5 | 5 | 4 | 2 | 44 |
| Virtual Keyboard | 5 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 2 | 39 |
| SIM Toolkit (HandyID) | 3 | 1 | 3 | 2 | 4 | 2 | 2 | 3 | 4 | 4 | 28 |
| RSA SecurID | 2 | 5 | 2 | 2 | 3 | 3 | 5 | 1 | 1 | 3 | 27 |
| Passmark Sitekey (now RSA) | 5 | 2 | 3 | 3 | 1 | 4 | 5 | 3 | 3 | 4 | 33 |
| Passfaces | 5 | 5 | 4 | 3 | 5 | 3 | 5 | 3 | 3 | 4 | 40 |
| Passpicture | 5 | 5 | 4 | 3 | 5 | 3 | 5 | 3 | 3 | 4 | 40 |
| EMV Smartcard | 1 | 1 | 1 | 2 | 3 | 3 | 1 | 1 | 2 | 3 | 18 |
| Public Key Infrastructure (PKI) Smartcard | 1 | 1 | 1 | 2 | 3 | 3 | 1 | 1 | 2 | 3 | 18 |
| One Time Password manual (Elcard) | 4 | 5 | 5 | 2 | 3 | 4 | 5 | 4 | 4 | 5 | 41 |
| One Time Password manual (Scratchcard) | 4 | 5 | 5 | 2 | 3 | 2 | 5 | 4 | 4 | 5 | 39 |
| One Time Password automatic (SMS) | 3 | 5 | 4 | 4 | 4 | 1 | 3 | 2 | 3 | 4 | 33 |
| One Time Password synchronous | 1 | 5 | 1 | 2 | 3 | 3 | 1 | 1 | 2 | 3 | 22 |
| One Time Password a-synchronous | 1 | 5 | 1 | 2 | 3 | 3 | 1 | 1 | 2 | 3 | 22 |
| Bookmark authentication | 5 | 5 | 4 | 4 | 2 | 4 | 5 | 3 | 4 | 5 | 41 |
Attack vectors
• Shoulder surfing
• Keylogger
• Screen capturing
• Brute force (exhaustive search)
• Guess attack (knowing someone)
• Dictionary attack
• Hardware (observation) attack
• Social engineering
• Phishing attack
• Man In The Middle (MITM) attack
• Man In The Browser (MITB) attack
• Network sniffing
• Short access
Attack vectors explained
Guess attack: useful against “secret questions” (password forgotten), such as “Name of your first pet?” or “Mother's first name?”. The answers can be found through sites like Hyves and MySpace.
Hardware (observation) attack: varies from copying a TAN code list to using an electron microscope.
Attack vectors explained 2
Man In The Browser attack
• Installed by a Trojan Horse
• Similar to MITM
• Works inside the web browser
• No hyperlink to click on
• Activates when the user types a URL
• Hard to prevent and disinfect
Attack vectors explained 3
Short access: is a successful login possible when an attacker has short physical access to the computer / hardware?
Comparison Matrix Attack vectors
The Comparison Matrix shows the authentication methods and the attack vectors. Each cell holds a value that represents the probability that the attack succeeds against that method, on a scale from 1 to 5, where higher means better resistance against the attack.
Likelihood that the attack succeeds:
• 1 = very likely
• 2 = likely
• 3 = possible
• 4 = not likely
• 5 = negligible
Comparison Matrix Attack vectors (likelihood that the attack succeeds: 1 = very likely, 2 = likely, 3 = possible, 4 = not likely, 5 = negligible)

| Authentication method | Shoulder surfing | Keylogger | Screen capturing | Brute force (exhaustive search) | Guess attack (knowing someone) | Dictionary attack | Hardware (observation) attack | Social engineering | Phishing attack | Man In The Middle attack | Man In The Browser attack | Network sniffing | Short access | Total score |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Username & Password | 3 | 1 | 4 | 2 | 2 | 1 | 5 | 3 | 1 | 1 | 2 | 1 | 3 | 29 |
| Partial password | 4 | 3 | 5 | 1 | 3 | 2 | 5 | 3 | 3 | 1 | 2 | 2 | 3 | 37 |
| Virtual Keyboard | 1 | 5 | 1 | 2 | 2 | 1 | 5 | 3 | 3 | 1 | 3 | 3 | 3 | 33 |
| SIM Toolkit (HandyID) | 5 | 4 | 4 | 5 | 5 | 5 | 4 | 5 | 4 | 4 | 5 | 5 | 4 | 59 |
| RSA SecurID | 4 | 4 | 4 | 5 | 5 | 5 | 5 | 5 | 4 | 4 | 4 | 4 | 4 | 57 |
| Passmark Sitekey (now RSA) | 3 | 2 | 3 | 3 | 3 | 2 | 5 | 2 | 2 | 3 | 3 | 4 | 3 | 38 |
| Passfaces | 2 | 5 | 2 | 3 | 1 | 3 | 5 | 3 | 3 | 3 | 3 | 3 | 4 | 40 |
| Passpicture | 2 | 5 | 2 | 4 | 2 | 3 | 5 | 4 | 3 | 3 | 3 | 3 | 4 | 43 |
| EMV Smartcard | 4 | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 4 | 4 | 5 | 4 | 61 |
| Public Key Infrastructure (PKI) Smartcard | 4 | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 4 | 4 | 5 | 4 | 61 |
| One Time Password manual (Elcard) | 3 | 4 | 4 | 4 | 5 | 5 | 1 | 3 | 3 | 3 | 3 | 4 | 1 | 43 |
| One Time Password manual (Scratchcard) | 3 | 4 | 4 | 4 | 5 | 5 | 3 | 3 | 3 | 3 | 3 | 4 | 2 | 46 |
| One Time Password automatic (SMS) | 4 | 4 | 4 | 5 | 5 | 5 | 5 | 5 | 4 | 4 | 4 | 4 | 3 | 56 |
| One Time Password synchronous | 4 | 4 | 4 | 5 | 5 | 5 | 5 | 5 | 4 | 4 | 4 | 4 | 5 | 58 |
| One Time Password a-synchronous | 4 | 4 | 4 | 5 | 5 | 5 | 5 | 5 | 5 | 4 | 5 | 4 | 5 | 60 |
| Bookmark authentication | 3 | 3 | 3 | 3 | 4 | 4 | 5 | 4 | 4 | 4 | 2 | 4 | 3 | 46 |
Scenario
An online banking site wants to offer customers a safe login, even from an internet café abroad. The solution must be highly resistant against:
• Shoulder surfing
• Keyloggers
• Screen capturing
A score of 3 or higher is required for these items (higher is preferred).
Scenario 2
Usable in an internet café abroad. This points to 3 important characteristics:
• Additional software
• Additional hardware
• Portability
Scenario 3
When we apply the requirements to the Comparison Matrix Characteristics, this results in the following authentication methods:
• Username & Password
• Partial password
• Virtual Keyboard
• PassFaces
• Passpictures
• One Time Password manual (Elcard)
• One Time Password manual (Scratchcard)
• One Time Password automatic (SMS)
(Selection shown in the Comparison Matrix Characteristics)
Scenario 4
The result of the Characteristics step is now used in the Comparison Matrix Attack vectors. Here we check how resistant the remaining authentication methods are against the attacks selected in this scenario:
• Shoulder surfing
• Keyloggers
• Screen capturing
Scenario 5
We now apply the selected attacks to the Comparison Matrix Attack vectors. From the remaining authentication methods we select those with a score of 3 or higher, which results in the following authentication methods:
• One Time Password manual (Elcard)
• One Time Password manual (Scratchcard)
• One Time Password automatic (SMS)
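The two-stage selection of Scenarios 3 to 5, as an added worked example (not code from the deck): both Comparison Matrices are encoded row by row with the values printed on the slides, and a threshold filter of "3 or higher" is applied first to the characteristics columns and then to the attack-vector columns. Column and method names are copied from the matrices; the helper names are this example's own.

```python
# Added example: both Comparison Matrices from the slides plus the two-stage Scenario filter
# (scores 1-5, higher is better; the deck's threshold is "3 or higher").
CHAR_COLS = ["Additional hardware", "Additional software", "Complexity", "Scalability",
             "Portability", "Login time", "System requirements", "Acquisition cost",
             "Deployment cost", "Operating cost"]
ATTACK_COLS = ["Shoulder surfing", "Keylogger", "Screen capturing", "Brute force",
               "Guess attack", "Dictionary attack", "Hardware (observation) attack",
               "Social engineering", "Phishing attack", "Man In The Middle attack",
               "Man In The Browser attack", "Network sniffing", "Short access"]
# method -> (characteristics row, attack-vector row); values copied from the two matrices
MATRIX = {
    "Username & Password":                       ([5,5,5,5,5,5,5,5,5,2], [3,1,4,2,2,1,5,3,1,1,2,1,3]),
    "Partial password":                          ([5,5,5,5,5,3,5,5,4,2], [4,3,5,1,3,2,5,3,3,1,2,2,3]),
    "Virtual Keyboard":                          ([5,4,4,4,4,4,4,4,4,2], [1,5,1,2,2,1,5,3,3,1,3,3,3]),
    "SIM Toolkit (HandyID)":                     ([3,1,3,2,4,2,2,3,4,4], [5,4,4,5,5,5,4,5,4,4,5,5,4]),
    "RSA SecurID":                               ([2,5,2,2,3,3,5,1,1,3], [4,4,4,5,5,5,5,5,4,4,4,4,4]),
    "Passmark Sitekey (now RSA)":                ([5,2,3,3,1,4,5,3,3,4], [3,2,3,3,3,2,5,2,2,3,3,4,3]),
    "Passfaces":                                 ([5,5,4,3,5,3,5,3,3,4], [2,5,2,3,1,3,5,3,3,3,3,3,4]),
    "Passpicture":                               ([5,5,4,3,5,3,5,3,3,4], [2,5,2,4,2,3,5,4,3,3,3,3,4]),
    "EMV Smartcard":                             ([1,1,1,2,3,3,1,1,2,3], [4,5,5,5,5,5,5,5,5,4,4,5,4]),
    "Public Key Infrastructure (PKI) Smartcard": ([1,1,1,2,3,3,1,1,2,3], [4,5,5,5,5,5,5,5,5,4,4,5,4]),
    "One Time Password manual (Elcard)":         ([4,5,5,2,3,4,5,4,4,5], [3,4,4,4,5,5,1,3,3,3,3,4,1]),
    "One Time Password manual (Scratchcard)":    ([4,5,5,2,3,2,5,4,4,5], [3,4,4,4,5,5,3,3,3,3,3,4,2]),
    "One Time Password automatic (SMS)":         ([3,5,4,4,4,1,3,2,3,4], [4,4,4,5,5,5,5,5,4,4,4,4,3]),
    "One Time Password synchronous":             ([1,5,1,2,3,3,1,1,2,3], [4,4,4,5,5,5,5,5,4,4,4,4,5]),
    "One Time Password a-synchronous":           ([1,5,1,2,3,3,1,1,2,3], [4,4,4,5,5,5,5,5,5,4,5,4,5]),
    "Bookmark authentication":                   ([5,5,4,4,2,4,5,3,4,5], [3,3,3,3,4,4,5,4,4,4,2,4,3]),
}
CHARACTERISTICS, ATTACKS = 0, 1   # index into the (characteristics, attacks) tuple

def total(method, which):
    """Row total as printed in the matrix's last column."""
    return sum(MATRIX[method][which])

def select(methods, which, required, minimum=3):
    """Keep only the methods scoring at least `minimum` on every required column."""
    cols = (CHAR_COLS, ATTACK_COLS)[which]
    idx = [cols.index(name) for name in required]
    return [m for m in methods if all(MATRIX[m][which][i] >= minimum for i in idx)]

def scenario(required_chars, required_attacks, minimum=3):
    """Scenarios 3-5 from the deck: filter on characteristics first, then on attack vectors."""
    stage1 = select(list(MATRIX), CHARACTERISTICS, required_chars, minimum)
    return stage1, select(stage1, ATTACKS, required_attacks, minimum)

if __name__ == "__main__":
    chars, attacks = scenario(["Additional software", "Additional hardware", "Portability"],
                              ["Shoulder surfing", "Keylogger", "Screen capturing"])
    print("Scenario 3:", chars)
    print("Scenario 5:", attacks)
```

Applied mechanically to the matrix values, the attack-vector stage also keeps Partial password (scores 4, 3 and 5 on the three selected attacks), which the Scenario 5 slide does not list.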
(Selection shown in the Comparison Matrix Attack vectors)
Questions
Recommend
More recommend